Mojo Trust

Data Center Certification

We hold a high standard for IaaS providers. Among other criteria, we require our IaaS providers to demonstrate:

• ISO 27001:2013 certification
• SSAE 16 SOC 1, SOC 2 and SOC 3 certification
• Regular audits of physical, logical and data security controls performed by validated third parties

Together our IaaS provider and cloud operations team have put in place a series of environmental controls to ensure the physical and network security of your Mojo experience.

Three-Tier Firewall System

Three firewalls exist between the Internet and your individual cloud instance to deliver maximum protection.

• At the outermost boundary a perimeter firewall surrounds the Mojo cloud infrastructure. This firewall is focused on blocking network scans, attacks and external connection attempts, keeping the entire Mojo cloud protected from external threats. The firewall rules here are managed by the IaaS provider and reviewed and updated every 24 hours.
• Within the Mojo cloud a firewall surrounds each physical host. This firewall looks for and stops activities like promiscuous mode and host IP spoofing to reinforce the logical separation of tenets within the service provider’s data centers. Again, the firewall rules here are managed by the IaaS provider and reviewed and updated every 24 hours.
• We implement our own firewall between virtual hosts as well. Here we have complete control and use it to strictly enforce which ports are allowed inbound and outbound to access any particular virtual instance.

Regular Vulnerability Scans

We run regular vulnerability scans to validate firewall settings; in particular those rules that govern port allowances. These scans help ensure that firewall rules have been deployed successfully.

Web Application Security

Web application security scans focus on finding vulnerabilities at the web application level. The objective of web application security scans is to ensure that there are no exploitable vulnerabilities if an unauthorized user attempts to access the application.

Mojo Networks deploys 24x7 automated WAS scanning using WhiteHat Security services and complements it with twice a year manual (deep) scans by WhiteHat Security experts.

Physical and Environmental Security

The IaaS provider enforces strict rules around physical access to data centers. These include (but are not limited to):

• Two-factor authentication at every point of ingress into and within data centers
• Active monitoring by professional security staff using video surveillance, intrusion detection systems and other electronic means
• Maintaining access logs and performing periodic audits of those logs

Local Traffic Breakout

The Mojo platform uses a controller-less architecture to support its wireless access point and cloud managed communication. As such there are some inherent advantages to this architecture in regards to data security, such as

• Client data passed along wireless networks never enters the cloud
• Traffic flow from access point to cloud is strictly for management data only and occurs using an AES-encrypted channel over a private UDP port
• Access points connect to the cloud in order to pass and receive management data using HMAC-SHA1 authentication

Platform Encryption and Certification

The Mojo platform is featured prominently in many federal and state government organizations. As such the encryption used between components of the platform is Federal Information Processing Standard (FIPS 140-2) certified. Certain products within the Mojo platform are also Common Criteria EAL2+ certified. These certifications along with other elements have made certain products within the Mojo platform eligible under the DISA UC APL.

Encryption of Data at Rest and in Transit

Mojo encrypts data in transit using AES. This includes management GUI (HTTPS) communication between the Mojo access point and the cloud and all interactions between different Mojo servers and applications in the cloud (HTTPS.

AES encryption is also applied to data at rest. Database backups of Mojo applications in the cloud are stored in AWS S3 and Glacier that are also AES encrypted. The live database of Mojo Wireless Manager (MWM), the flagship application that provides the wireless management console, resides in AWS EBS (Elastic Block Storage) and is also AES encrypted.

End User Data Protection

Any wireless network that would ask for end user information as part of or in addition to logging into the network itself is collected in an opt-in fashion only, with complete disclosure to the end user at the time of information collection. Certain information that is collected from the airspace via passive scanning is obfuscated via a one-way MD5 hashing algorithm and is exposed only when generating anonymous statistical data.

Data Residency

As a global cloud platform we make sure data within a specific data center is in the same jurisdictional country as the customer's network location. Through our IaaS provider we leverage data centers around the world to comply with local data residency regulations.

Secure Transfer

All communication to the cloud is handled over HTTPS using secure TLS 1.2 256-bit encryption.

Password Policies

Administrators can enact a number of password policies including:

• Maximum failed login attempts
• Lockout period timeframe
• Minimum password lengths
• Forcing 2-factor authentication

Two-Factor Authentication

The Mojo cloud platform supports two-factor authentication, leveraging something the user “knows” in the form of their password and something the user “has”. To accomplish this second factor, we have designed a one-time password (OTP) system.

• Users receive a randomly generated one-time password on demand from the Mojo cloud while they are logging in
• This OTP is sent via email and is only valid for ten minutes
• After the intial login, users can generate a shared key (if desired) to be used by any time-based TOPT generator app (like Google Authenticator) for future OTP generation

Federated Login

The Mojo cloud supports Federated Login, allowing administrators to integrate any identity provider for account management outside of the Mojo cloud directly. We support the SAML 2.0 protocol and use a SHA256 secure hash algorithm to establish a secure connection with the remote identity provider.

Replicated Directories

The core directories which store information necessary for access point redirection and user console sessions across the Mojo cloud managed platform are not only replicated across multiple data centers, but are maintained in full sync. This provides a high level of fault tolerance and reliability to the directory layer should an individual data center experience a slight or prolonged interruption.

Fault Tolerance for Virtual Cloud Instances

The virtual cloud instances that support the primary services of the Mojo cloud managed platform are deployed on a EC2 Hypervisor with N+1 redundancy. This means that if any of the N virtual instances fails, there is a standby virtual instance ready to take up processing of the failed instance. The transition happens automatically. Note that during the failover, the edge wireless connectivity and security are not impacted due to the smart edge processing described above.

Reliability of Storage

Mojo instances in EC2 use Elastic Block Storage (EBS) for persistent storage. The EBS is a high grade Storage Area Network (SAN). The SAN provides redundancy and automatic failover. The failover is transparent to the EC2 compute instances.

All factors considered, Mojo Networks assures 99.95% availability for its cloud managed platform around the world.

Disaster Recovery

Disaster events are characterized as rare catastrophic events such as earthquakes or terrorist attacks that might cause the entire data center or a significant part of it to be physically devastated. The Mojo cloud architecture is capable of supporting full 1:1 redundancy across geographically separated data centers with automatic failover. However, such a configuration can be costly for end users as it requires almost twice as many resources in use in the cloud at once.

As a result we implement an alternative disaster recovery solution that strikes a strong balance between cost and protection. We automatically back up customer databases in the EBS every day. These backed-up databases are stored in S3 storage, a service that offers encryption and redundancy for backups. In the event of a disaster, our Mojo cloud operations team is equipped to start new EC2 instances for all affected customers at a different data center using the backed up databases. This way, you network management can be operational within hours from its last known state that itself is no more than 24 hours past.